
debug@4.2.0 used in Mocha is creating deprecation warnings #4533

Closed
4 tasks done
YasharF opened this issue Dec 10, 2020 · 8 comments
Labels
area: security involving vulnerabilities type: chore generally involving deps, tooling, configuration, etc.

Comments

@YasharF

YasharF commented Dec 10, 2020

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • [n/a] Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node node_modules/.bin/mocha --version(Local) and mocha --version(Global). We recommend that you not install Mocha globally.

Description

When adding Mocha to a project for the first time or regenerating package-json for a project, the following warning appears:

npm WARN deprecated debug@4.2.0: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)

Steps to Reproduce

$ mkdir test1
$ cd test1
$ npm init
 (just press enter for each prompt)
$ npm install mocha --save-dev

Expected behavior: [What you expect to happen]
npm adds mocha to the project without any deprecation warning.

Actual behavior: [What actually happens]

npm WARN deprecated debug@4.2.0: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.2 (node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN a@1.0.0 No description
npm WARN a@1.0.0 No repository field.

  • mocha@8.2.1
    added 101 packages from 51 contributors and audited 102 packages in 9.219s

16 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

Reproduces how often: [What percentage of the time does it reproduce?]
100%

Versions

8.2.1

  • The output of mocha --version and node node_modules/.bin/mocha --version: 8.2.1 (local) , no global version installed
  • The output of node --version: v12.20.0
  • Your operating system
    • name and version: Ubuntu - WSL 2
    • architecture (32 or 64-bit): 64-bit
  • Your shell (e.g., bash, zsh, PowerShell, cmd): WSL2
  • Your browser and version (if running browser tests): n/a
  • Any third-party Mocha-related modules (and their versions): n/a
  • Any code transpiler (e.g., TypeScript, CoffeeScript, Babel) being used (and its version): n/a
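The warning above only states a semver range; as an added example (not code from the issue or from the Mocha project), the following script flags every copy of `debug` in a lockfileVersion 1 package-lock.json whose version falls inside that range, so a project can confirm which nested copy triggers the warning. The sample lockfile is constructed data, and versions are assumed to be plain x.y.z.

```javascript
// Added example (not from the issue or from Mocha): flag every copy of
// `debug` in a package-lock.json whose version lies in the range quoted by
// npm's deprecation warning, ">=3.2.0 <3.2.7 || >=4 <4.3.1".

function parseVersion(v) {
  // Assumes plain x.y.z; any prerelease/build suffix is dropped before comparing.
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies ">=3.2.0 <3.2.7 || >=4 <4.3.1".
function isVulnerableDebugVersion(version) {
  const inRange = (lo, hi) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0;
  return inRange('3.2.0', '3.2.7') || inRange('4.0.0', '4.3.1');
}

// Walks a lockfileVersion 1 tree (nested "dependencies" objects) and returns
// "<path>@<version>" for each affected copy of debug.
function findVulnerableDebug(lock) {
  const hits = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'debug' && isVulnerableDebugVersion(entry.version)) {
        hits.push(`${path}@${entry.version}`);
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: a top-level debug@4.2.0 (affected) and a
// nested debug@3.2.7 under mocha (already fixed).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    debug: { version: '4.2.0', dependencies: { ms: { version: '2.1.2' } } },
    mocha: { version: '8.2.1', dependencies: { debug: { version: '3.2.7' } } },
  },
};
console.log(findVulnerableDebug(sampleLock)); // [ 'node_modules/debug@4.2.0' ]
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.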
@Maxgit3

Maxgit3 commented Dec 10, 2020

It looks from the issue that it should only affect those who are using unsanitized input from a user.

debug-js/debug#797

@AviVahl
Contributor

AviVahl commented Dec 12, 2020

It looks from the issue that it should only affect those who are using unsanitized input from a user.

visionmedia/debug#797

Like the following?
https://github.com/mochajs/mocha/blob/v8.2.1/lib/cli/cli.js#L38

@outsideris
Member

I believe we don't use %o with user input now.

The debug team said:

You are only affected if you pass un-sanitized, long user input to debug(ns)(...) - specifically, by way of the %o formatter - in Node.js. All other cases are unaffected.

https://github.com/mochajs/mocha/blob/v8.2.1/lib/cli/cli.js#L38 doesn't look like that case.

@AviVahl
Contributor

AviVahl commented Jan 3, 2021

Not sure why this was closed. The deprecation message is still shown when installing mocha, security vulnerability or not.

@YasharF
Author

YasharF commented Jan 5, 2021

@outsideris The issue isn't necessarily that there might be an open attack vector in Mocha. The issue is an out-of-the-box warning popping up that Mocha is using deprecated and vulnerable dependencies. We cannot ship code to clients if the first thing they see during deployment is a warning about the usage of deprecated software with known vulnerabilities.

Can you please reopen this issue and resolve it when the version of debug has been updated? Thank you!

@msankar1991

At installation time I'm getting the same kind of error with the Loopback framework.

@outsideris outsideris reopened this Jan 7, 2021
@outsideris
Member

I closed it because I can't find a real attack vector, and we cannot release new versions right after upgrading the debug module.
However, I understand how annoying the warning messages are.

@outsideris outsideris added type: chore generally involving deps, tooling, configuration, etc. area: security involving vulnerabilities and removed unconfirmed-bug labels Jan 7, 2021
@juergba
Member

juergba commented Jan 29, 2021

Closed by #4556.

@juergba juergba closed this as completed Jan 29, 2021